VMware Patches Critical Cloud Foundation RCE Vulnerability

October 26, 2022

VMware has released a security update to address a critical vulnerability in VMware Cloud Foundation.
Unauthenticated threat actors can exploit the vulnerability remotely to achieve remote code execution (RCE) in low-complexity attacks that require no user interaction.

The Vulnerability

  • CVE-2021-39144 (CVSS 3.1: 9.8, Critical) – Vulnerability in the XStream open-source library used by Cloud Foundation.
    Unauthenticated malicious actors can achieve remote code execution (RCE) on the appliance in the context of ‘root’.

Affected Products

  • VMware Cloud Foundation (NSX-V) using XStream versions prior to 1.4.19.

Mitigation

CYREBRO recommends that affected clients apply the NSX-V 6.4.14 patch on VMware Cloud Foundation 3.x to mitigate the vulnerability.
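An added inventory check, not part of the advisory, that applies the thresholds stated above (XStream prior to 1.4.19 affected, NSX-V 6.4.14 as the patched release) to collected version records; the hostnames and versions in the sample are constructed.

```python
# Added example (not from the advisory): flag inventory records as affected by
# CVE-2021-39144 using the advisory's thresholds. Hostnames/versions are constructed.
import re
from typing import Dict, List, Tuple

XSTREAM_FIXED = "1.4.19"  # XStream releases below this are affected (per advisory)
NSXV_PATCHED = "6.4.14"   # NSX-V release that mitigates the issue on VCF 3.x

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4.18', '6.4.14' or '1.4.19-SNAPSHOT' -> tuple of ints (suffix ignored)."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)

def version_lt(a: str, b: str) -> bool:
    """True if a sorts before b; shorter tuples are zero-padded so 1.4 < 1.4.19."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))

def assess(host: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, reason). A record is 'affected' if its XStream build is
    below 1.4.19 or its NSX-V release is below 6.4.14; 'unknown' if neither
    version was collected; 'patched' otherwise."""
    xs, nsx = host.get("xstream"), host.get("nsxv")
    if xs and version_lt(xs, XSTREAM_FIXED):
        return "affected", f"XStream {xs} < {XSTREAM_FIXED}"
    if nsx and version_lt(nsx, NSXV_PATCHED):
        return "affected", f"NSX-V {nsx} < {NSXV_PATCHED}"
    if not xs and not nsx:
        return "unknown", "no version data collected"
    return "patched", "XStream and NSX-V at or above the fixed releases"

def report(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Evaluate every record; returns (host, status, reason) triples."""
    return [(h.get("host", "?"),) + assess(h) for h in inventory]

# Constructed sample inventory: one unpatched, one patched, one with no data.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "vcf-mgmt-01", "nsxv": "6.4.13", "xstream": "1.4.18"},
    {"host": "vcf-mgmt-02", "nsxv": "6.4.14", "xstream": "1.4.19"},
    {"host": "vcf-mgmt-03"},
]

for host, status, reason in report(SAMPLE_INVENTORY):
    print(f"{host:12} {status:8} {reason}")
```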

References: VMWare Advisory